Office of the Superintendent of Financial Institutions
Internal Audit conducts assurance work to determine whether the Office of the Superintendent of Financial Institutions Canada’s (OSFI’s) risk management, control, and governance processes, as designed and represented by management, are adequate and functioning in a manner to ensure risks are appropriately identified and managed, and to ensure compliance with such requirements as policies, plans, procedures and applicable laws and regulations.
An audit of Capital Division was approved by the OSFI Audit Committee and the Superintendent for inclusion in the OSFI 2012-13 Internal Audit Plan.
This report presents the results of that audit based on audit work completed at the end of September 2012. The audit recommendations will support the Capital Division to continuously improve their control framework for Rule Making.
This report was presented to the OSFI Audit Committee and approved by the Superintendent on November 23, 2012. The Assistant Superintendent, Regulation Sector, and Capital Division Senior Management, who have provided their management comments within this report, have also reviewed it.
The Capital Division under the Regulation Sector is responsible for setting rules and related prudential standards for capital that FRFIs are required to hold.
The Capital Division, headed by a Senior Director, is organized by Banking (Deposit Taking Institutions) and Insurance (Life Insurance, and Property and Casualty Insurance) under Managing Directors.
This year, Capital Division formed a new group called “Quantitative Analysis” to address the increasing need for OSFI to proactively understand and quantify risk and the impact of its capital policies. Additionally, Capital Division formed the “Insurance Models and Mortgage Insurance” group to address the volume and higher profile of insurance model work. A new resource was added to the group due to OSFI’s added regulatory responsibilities related to Canada Mortgage and Housing Corporation.
Capital Division supports OSFI’s mandate by undertaking the following four main objectives and related activities:
The last audit that Internal Audit completed of the Capital Division was the Capital Precedents Framework (design) audit (October 2006).
The objective of the audit was to provide reasonable assurance of:
Internal Audit selected Capital Division Rule Making for its review due to the activity’s importance to OSFI’s mandate, as capital rules and related prudential standards and guidelines are foundational to the way OSFI regulates and supervises FRFIs, and due to the increasingly volatile, complex and globalized nature of rule-making.
The audit covered rule-making activities for Deposit Taking Institutions, Life Insurance companies, and Property and Casualty Insurance companies and was assessed against Capital Division’s November 2010 Rule Making Framework, as well as any improvements made, underway or planned since that time.
The audit focused on the underlying Rule Making and Expedited Rule Making processes and related procedures and aids/tools used for the period from January 1, 2011 to July 31, 2012, and included published and in-progress rules, prudential standards, and guidance.
Rule-making guidance is broken into:
Matters outside of the scope of this audit include:
The audit was conducted in accordance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board Policy on Internal Audit.
The audit criteria used, as set out in Appendix 1 – Audit Evaluation Criteria, were structured into three sections consistent with the Government of Canada directives for reporting on risk management, governance and control processes and formed the basis for assessing the Capital Division Rule Making process and its application. These criteria incorporated the following Government of Canada and OSFI policies, directives and guidance:
The audit also incorporated the Treasury Board Secretariat, Internal Audit Sector “Core Management Control Framework” guidance and the internationally recognized Committee of Sponsoring Organizations of the Treadway Commission (COSO) control framework, as adapted to OSFI’s business and risk environment.
In applying the audit criteria, Internal Audit looked for the existence of the control criteria and whether they had been operationalized (i.e. in place, communicated, understood, and implemented).
The audit involved three methods of examination:
The audit work was conducted on a collaborative basis. The results of the reviews and interviews were combined to ensure a balanced assessment of the Capital Division in providing rule-making services.
The Capital Division Rule Making Framework is appropriately designed and, based on our sample tests, being applied appropriately to ensure rule-making is completely and accurately processed and decisions made are reviewed and approved with supporting information and documentation.
We found within the Rule Making Framework effective policy, procedures and practices over planning, and the development and issuance of guidance. For example:
As outlined in this report, there are two areas that need the attention of management:
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the entity examined.
The evidence was gathered in compliance with Treasury Board policy, directives and standards on internal audit, and the procedures used meet the professional standards of the Institute of Internal Auditors. The evidence has been gathered to be sufficient to provide senior management with the proof of the opinion derived from the internal audit.
We wish to recognize the excellent collaboration throughout the audit, especially management briefings on the process followed and timely access to the supporting information and documents.
Chief Audit Executive, IA
This report has been reviewed by the Senior Director, Capital Division, and the Assistant Superintendent, Regulation Sector, who acknowledge its observations and recommendations.
The recommendations will support the Capital Division in keeping the currency of rule-making information and documents in OSFI’s centralized Electronic Document Management System, and strengthening its Rule Making Framework guidance in risk management.
The Capital Division wishes to express its many thanks to the audit team for the professional, clear, and transparent way in which they conducted their audit. We agree with the recommendations of the audit team and will implement them by December 31, 2012.
Based on our review of the Capital Division Rule Making Framework and our sample test results, we found that the Framework design and its application are appropriate to ensure rule-making is completely and accurately processed and decisions made are reviewed and approved with supporting information and documentation. The application of the Framework demonstrated the core values of clarity, transparency and timeliness in the development and publication of capital rule guidance.
However, in our review we noted that some research, background documents, and correspondence on active rule-making files are saved on staff computers and transferred to EDMS, OSFI’s Electronic Data Management System, when the file is less active (i.e. near completion) or finalized.
Furthermore, we noted that some Capital Division staff access EDMS through Livelink Explorer (Explorer) rather than through EDMS Browser (Browser), where the main file is located. While this was an acceptable practice in the past, it became an issue after the office-wide migration to Windows 7, because Explorer no longer synchronizes automatically with the Browser when new versions of existing files are created. As a result, multiple versions of the same file may exist independently of the main file on the Browser.
Based on our discussions with IM/IT, users of Explorer must manually synchronize with the Browser each time a new file version is created or updated. However, based on our discussions with management, Capital Division staff were not aware of these additional procedures. This means that staff sharing files throughout the rule-making process may not be accessing the most current version if the files were not synchronized with the EDMS Browser.
As a result, rule-making information, including the record of decisions made throughout development, may not be readily available or current, or could be compromised, affecting the timely production of capital rules and future rule development.
IA recognizes that Capital Division management responded immediately to the concern about the currency of files on the Browser by advising Capital Division staff of the importance of saving rule-making files onto the Browser in a timely manner, and by providing instructions to ensure that files in both Livelink Explorer and EDMS Browser are up to date.
The Capital Division should establish a closing file or post-publication “closing of file checklist” whereby management confirms that all relevant information related to rule-making has been filed in Livelink Explorer and the EDMS Browser, to provide a complete record of the rule-making process and the decisions made throughout its development. We have shared the rule-making assessment checklist used during our audit as a starting point for designing a “closing of file checklist”.
Management Action Plan:
We are pleased that the audit team identified a Livelink/EDMS issue, which arose as a result of the office-wide migration to Windows 7. We were not aware of this issue prior to the audit and have taken immediate action to ensure past and future files are entirely synchronized between Livelink and EDMS.
On a go-forward basis, to further ensure files on the Electronic Data Management System are current, we will implement the file closing checklist provided by the audit team. This procedure will be effective as of November 1, 2012.
OSFI implemented an Enterprise Risk Management (ERM) policy and process to identify, assess and mitigate its risks. Using the ERM guidance, individual divisions, such as the Capital Division, complete risk assessments, which are then consolidated into sector-level risk assessments (e.g. Regulation Sector), and finally, into an OSFI-level risk assessment.
During our review of Capital Division’s risk assessment process for rule-making, we noted that management reviews key risk areas and actions taken monthly through various levels of management meetings, including meetings with the Assistant Superintendent, Regulation Sector. We also noted that the Division conducts formal risk reviews annually by updating its risk register and reporting on key risks to senior management as part of corporate planning and priority setting.
Although we noted that the Capital Division Risk Register follows the ERM guidance, we identified other risks that we believe are relevant and important to rule-making but were not in the Risk Register, specifically the information and management process, the key internal control process, stakeholders, direct and indirect influencers, and values. Furthermore, while the Rule Making Framework incorporates key controls to address the identified risks, the Risk Register did not reflect all of the Framework’s key controls.
Without identifying all relevant risks and mapping them to rule-making controls (e.g. policies, procedures, practices), the full extent and scope of risks associated with rule-making may not be identified and assessed. This could potentially impact the Capital Division’s ability to ensure timely, clear and relevant publication of capital rules and related prudential standards, although the audit did not observe any deficiencies in these matters.
IA notes that OSFI has two initiatives underway that should provide additional guidance to Capital Division in completing its risk assessment. These include updated ERM guidance related to completion of risk registers and a draft Enterprise-wide Internal Control (EWIC) framework, which provides further guidance on risk and control assessment.
During the audit, IA worked with the Capital Division on risk assessment tools to identify risks relevant to rule-making (using ERM guidance) and to map them to a generic control structure (COSO-based) and draft impact statements (using draft EWIC guidance). These tools were useful in evaluating the rule-making control structure and the underlying processes, activities and practices. We support the Capital Division in incorporating these risk assessment tools into its Rule Making Framework.
The Capital Division should update its risk assessment to include all relevant risks and controls and update its risk register as appropriate.
As recommended by the audit team, the Capital Division will update its risk assessment that will also document risk controls. This will be done using the risk assessment tools used in the context of the audit, namely the COSO-based generic control structure and impact statement (using draft EWIC guidance). This will be completed by December 31, 2012.
We will ensure that this detailed risk framework is incorporated into the Regulation Sector risk framework. The timing will be determined in consultation with owners of the ERM and EWIC processes.